POPIA has been fully enforceable since 1 July 2021. Most South African business owners know it exists. Fewer have done anything meaningful about it – particularly as it applies to their website.
That calculation is becoming riskier. The Information Regulator’s 2025/26 Annual Performance Plan, presented to Parliament’s Portfolio Committee on 5 May 2026, signals a materially tougher enforcement posture. Fines have already been issued: R5 million against the Department of Justice for failing to comply with an enforcement notice following a 2021 security compromise, R5 million against the Department of Basic Education for publishing matric results in newspapers against the Regulator’s instruction, R100,000 against Lancet Laboratories for failing to notify affected individuals of a data breach, and R100,000 against FT Rams Consulting for ignoring an enforcement notice relating to direct marketing. Legal proceedings are underway to recover several of these fines. Breach notifications have increased 40% in early 2025/26, with an average of 284 per month.
The Regulator is no longer warning. It is acting.
This guide is written specifically for South African business owners whose primary compliance surface is their website – the place where you collect personal information from visitors, customers, and leads every day. It covers what POPIA requires of your website, what most sites are currently getting wrong, and what you need to put in place to reach a defensible level of compliance.
This is not legal advice. For specific legal guidance, consult a qualified attorney with data protection expertise. What this guide provides is a practical operational framework – the decisions, configurations, and content your website needs – informed by current regulatory activity.
Who POPIA Applies To
POPIA applies to any person or organisation – public or private – that processes personal information in South Africa, or that processes the personal information of South African data subjects using means located in South Africa.
For website owners, this is almost universally applicable. If your website has a contact form, a quote request form, an email signup, a checkout, an analytics tool, or a cookie – you are processing personal information. If you are based in Johannesburg and your website collects the name, email address, or phone number of a visitor, you are a responsible party under POPIA and the Act applies to you in full.
There is no SME exemption. There is no revenue threshold. There is no ‘we’re too small to matter’ defence. The Act applies to a sole trader with a 3-page website in the same way it applies to a listed company with a national customer database.
The difference in practice is that the Regulator has, to date, focused its enforcement on larger entities and systemic failures. That focus is shifting. The 2025/26 Annual Performance Plan explicitly prioritises complaint resolution and own-initiative inspections across sectors, including direct marketing – one of the most common compliance failures on small business websites.
What POPIA Requires: The 8 Conditions for Lawful Processing
POPIA’s framework for lawful processing rests on eight conditions. These apply to every instance of personal information processing – including the information collected through your website. Understanding them at a practical level shapes everything else in this guide.
- Accountability – You, as the responsible party, are accountable for ensuring POPIA compliance across your organisation and with any third-party operators who process data on your behalf (your hosting provider, email marketing platform, CRM, payment gateway).
- Processing limitation – You may only collect personal information for a specific, explicitly defined, and lawful purpose. Collecting data ‘just in case’ or reusing it for purposes the data subject did not consent to is non-compliant.
- Purpose specification – The purpose for which you collect personal information must be disclosed at the point of collection, and data may not be retained for longer than necessary to achieve that purpose.
- Further processing limitation – You may not process personal information in a way that is incompatible with the original purpose for which it was collected.
- Information quality – Personal information must be complete, accurate, and not misleading.
- Openness – You must have a PAIA manual (for organisations with 50 or more employees) and a privacy policy that is accessible to data subjects.
- Security safeguards – You must take appropriate, reasonable technical and organisational measures to protect personal information against unauthorised access, loss, damage, or destruction.
- Data subject participation – Data subjects have the right to access their personal information, to request correction, and to object to its processing. You must have a mechanism to respond to these requests.
Each of these conditions has direct implications for how your website is built, what it collects, and what documentation you maintain. The sections below translate them into specific website requirements.
Your Privacy Policy: What It Must Actually Say
Most South African business websites either have no privacy policy at all, or have one copied from a template that was written for a different jurisdiction – often a GDPR-flavoured document that doesn’t address South African law or your actual data practices.
A POPIA-compliant privacy policy is not a legal formality. It is the primary mechanism through which you meet the openness condition, disclose your processing purposes, and give data subjects the information they need to exercise their rights.
A compliant privacy policy for a South African business website must include:
- The name and contact details of the responsible party (your business)
- The name and contact details of your appointed Information Officer
- A clear description of what personal information you collect and how
- The specific purpose or purposes for which you collect each type of information
- Whether you share personal information with third parties, and if so who they are and why
- How long you retain personal information and the criteria used to determine that period
- The security measures in place to protect personal information
- How data subjects can request access to, correction of, or deletion of their information
- How data subjects can lodge a complaint with the Information Regulator (inforegulator.org.za)
- Whether personal information is transferred outside South Africa and, if so, the safeguards in place
The policy must be accessible from every page of your website – typically linked in the footer – and must be written in plain, accessible language. A policy buried three levels deep in your terms and conditions does not constitute meaningful disclosure.
If your actual data practices have changed since your policy was last updated – because you added a new form, a new marketing platform, or a new analytics tool – your policy is out of date and needs to be revised.
Cookie Consent: What the Regulations Actually Require
Cookie consent is one of the most misunderstood areas of POPIA compliance for website owners. The confusion stems partly from conflating POPIA with GDPR, which has more prescriptive requirements around prior consent banners. POPIA’s cookie requirements are grounded in the processing limitation and openness conditions rather than in a separate cookie-specific regime.
In practical terms, this means:
- Cookies that collect personal information – analytics cookies that track individual behaviour, advertising retargeting cookies, session cookies tied to user accounts – constitute processing of personal information and require disclosure in your privacy policy.
- You must disclose what cookies you use, what they collect, why you use them, and who has access to the data they generate (for example, Google in the case of Google Analytics).
- For cookies used for direct marketing or behavioural advertising, opt-in consent is required. Placing a pre-ticked consent box or relying on continued browsing as implied consent does not meet this standard.
- A cookie notice or banner that explains what your site uses and provides a genuine choice – including the option to decline non-essential cookies – is best practice and increasingly expected.
The April 2025 regulation amendments strengthened data subject rights around objecting to processing, including through digital channels. Practically, this raises the bar on how consent is captured and how objections must be honoured. A cookie banner that says ‘By using this site you agree to our cookies’ with no opt-out mechanism is not compliant.
For WordPress sites, plugins such as Complianz, CookieYes, or WPML Cookie Law are commonly used to implement cookie consent banners. The key is configuring them correctly – blocking non-essential scripts until consent is given, not merely displaying a notice.
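The following is an added example, not code from the original article and not taken from Complianz, CookieYes or any other plugin named above. It shows the script-blocking pattern those plugins implement: a non-essential tag is shipped inert as `<script type="text/plain" data-consent="analytics" src="..."></script>` and is only turned into an executable script once an explicit, unexpired opt-in for that category has been stored. The cookie name, the category names and the validity period are assumptions for the example.

```javascript
// Added example: consent-gated script activation. Not the article's code and
// not any plugin's code; cookie name, categories and TTL are assumptions.

const CONSENT_COOKIE = 'site_consent';   // assumed cookie holding the consent record
const CONSENT_TTL_DAYS = 365;            // assumed period after which the visitor is asked again
const CATEGORIES = ['essential', 'analytics', 'marketing'];

// Parse a stored consent record. Missing, malformed or expired input means
// "no consent": nothing is inferred from the visitor having carried on browsing.
function parseConsent(raw, now = Date.now()) {
  if (typeof raw !== 'string' || raw === '') return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== 'object' || typeof rec.ts !== 'number') return null;
  if (now - rec.ts > CONSENT_TTL_DAYS * 86400000) return null;
  const choices = {};
  for (const c of CATEGORIES) {
    // only a literal true counts; "on", "yes" or 1 from a mangled record does not
    choices[c] = c === 'essential' ? true : (rec.choices != null && rec.choices[c] === true);
  }
  return { ts: rec.ts, choices };
}

// Build the record to store when the visitor submits the banner. Recording the
// banner version lets you evidence later which wording the consent was given to.
function buildConsentRecord(choices, bannerVersion, now = Date.now()) {
  const rec = { ts: now, banner: bannerVersion, choices: {} };
  for (const c of CATEGORIES) if (c !== 'essential') rec.choices[c] = choices[c] === true;
  return rec;
}

// Given script descriptors ({ category, ... }) and a parsed record, return the
// ones allowed to run. Essential scripts always run; an unknown category is
// treated as marketing, the strictest case, rather than slipping through.
function permittedScripts(scripts, consent) {
  return scripts.filter(s => {
    const category = CATEGORIES.includes(s.category) ? s.category : 'marketing';
    if (category === 'essential') return true;
    return consent !== null && consent.choices[category] === true;
  });
}

// Browser only: replace each permitted inert tag with a live one. Tags that
// are not permitted stay as type="text/plain" and never execute.
function activatePermitted(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = inert.map(el => ({ category: el.getAttribute('data-consent'), el }));
  for (const { el } of permittedScripts(descriptors, consent)) {
    const live = doc.createElement('script');
    for (const attr of Array.from(el.attributes)) {
      if (attr.name !== 'type' && attr.name !== 'data-consent') live.setAttribute(attr.name, attr.value);
    }
    if (!el.hasAttribute('src')) live.textContent = el.textContent;
    el.replaceWith(live);   // the browser executes the new tag on insertion
  }
}

// Browser bootstrap: read the cookie and activate whatever the stored record allows.
if (typeof document !== 'undefined') {
  const match = document.cookie.split('; ').find(c => c.startsWith(CONSENT_COOKIE + '='));
  const raw = match ? decodeURIComponent(match.slice(CONSENT_COOKIE.length + 1)) : '';
  activatePermitted(document, parseConsent(raw));
}
```

The design point is that the default state is "blocked": a visitor who has never interacted with the banner, or whose record has expired, gets only the essential scripts, which is the behaviour the checklist item "blocked until consent is given, not just disclosed" asks for. A banner that loads Google Analytics on page load and then shows a notice fails this regardless of how the notice is worded.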
Your Information Officer: A Requirement Most Businesses Ignore
Under POPIA, every organisation that processes personal information must designate an Information Officer. For companies, this is automatically the CEO or managing director unless someone else is formally designated and registered. For smaller owner-managed businesses, it is typically the owner.
The Information Officer’s responsibilities include:
- Ensuring compliance with POPIA across the organisation
- Dealing with requests made by data subjects in terms of POPIA
- Working with the Information Regulator on matters of compliance
- Developing, implementing, and monitoring a POPIA compliance framework
Critically, the Information Officer must be registered with the Information Regulator’s eServices portal. This is not optional and it is not complicated – it is an online registration. The Regulator’s November 2025 media briefing specifically flagged ‘Information Officers appointed on paper only’ as one of the most common ongoing compliance failures: businesses that have technically designated someone but have not registered them with the Regulator, have not given them actual authority, and have not built any real compliance function around the role.
Your privacy policy must include the name and contact details of your Information Officer. If it currently says something like ‘our appointed compliance officer’ with no name and no contact details, it does not meet this requirement.
Contact Forms, Quote Requests, and Email Marketing
Every form on your website that collects personal information is a compliance surface. This includes contact forms, quote request forms, callback request forms, newsletter signups, account registration forms, and checkout forms.
For each form, you need to address:
Purpose disclosure at the point of collection. The data subject must know why you are collecting their information at the moment they provide it. A contact form that collects a name, phone number, and email address should state clearly what that information will be used for – typically, to respond to the enquiry. If you intend to add them to a mailing list, that must be disclosed separately and explicitly.
Consent for direct marketing. Under POPIA, you may only send direct electronic marketing to a person if they have opted in, or if they are an existing customer and the marketing relates to similar products or services. Pre-ticked boxes do not constitute valid consent. The April 2025 amendments strengthened consent requirements and explicitly require that objection mechanisms be accessible via multiple channels – email, SMS, WhatsApp, and others.
Retention. How long do you keep the personal information submitted through your forms? If you have enquiry form submissions sitting in your WordPress database from five years ago that you have never done anything with, you are retaining personal information beyond the period necessary for its purpose – a processing limitation violation.
Third-party access. If your contact form submissions are forwarded to a CRM, a Gmail account, or a marketing platform, those third parties are operators under POPIA. You need a data processing agreement with each of them, and your privacy policy must disclose that these parties have access to the information.
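As an added example, not code from the original article, the following is the server side of a contact or quote form written to the four points above. It stores the purpose statement the visitor saw, treats marketing consent as given only when the opt-in box was explicitly ticked (an unticked HTML checkbox is simply absent from the POST body, so a missing field must never default to "yes"), and applies a retention schedule per purpose. The field names, purposes, wording and retention periods are assumptions.

```javascript
// Added example: form intake with explicit opt-in and per-purpose retention.
// Not the article's code; field names, purposes, wording and periods are assumed.

const PURPOSES = {                                   // assumed purposes and retention periods
  enquiry: { text: 'We use these details only to respond to your enquiry.', retentionDays: 180 },
  quote:   { text: 'We use these details to prepare and send your quotation.', retentionDays: 365 },
};
const OPT_IN_FIELD = 'marketing_opt_in';             // assumed checkbox name; a ticked box submits "yes"
const OPT_IN_WORDING = 'Yes, email me occasional offers. You can unsubscribe at any time.'; // assumed label

// Convert a raw POST body (string fields) into the record that will be stored.
function normaliseSubmission(body, purpose, receivedAt) {
  const spec = PURPOSES[purpose];
  if (!spec) throw new Error('form submitted for an undeclared purpose: ' + purpose);
  for (const f of ['name', 'email']) {
    if (typeof body[f] !== 'string' || body[f].trim() === '') throw new Error('missing required field: ' + f);
  }
  // Only the exact value a ticked checkbox submits counts. Undefined (box not
  // ticked), "", "on" from some other control, or a pre-ticked default rendered
  // server-side must all end up as "no consent".
  const optedIn = body[OPT_IN_FIELD] === 'yes';
  return {
    name: body.name.trim(),
    email: body.email.trim().toLowerCase(),
    phone: typeof body.phone === 'string' && body.phone.trim() !== '' ? body.phone.trim() : null,
    purpose,
    purposeText: spec.text,                          // what the data subject was told at collection
    receivedAt,
    marketingConsent: optedIn
      ? { given: true, at: receivedAt, wording: OPT_IN_WORDING }   // evidence of the opt-in
      : { given: false },
    hold: false,                                     // set true while a dispute or request is open
  };
}

// Sort stored records into: purge (retention lapsed), keep (still within
// period, or under hold), review (no declared purpose, so no basis to decide
// automatically). A purged enquiry whose opt-in still stands leaves behind
// only the subscriber entry and its evidence; the enquiry data itself goes.
function applyRetention(records, now) {
  const purge = [], review = [], keep = [], subscribers = [];
  for (const r of records) {
    const spec = PURPOSES[r.purpose];
    if (!spec) { review.push(r); continue; }
    if (r.hold) { keep.push(r); continue; }
    const ageDays = (now - r.receivedAt) / 86400000;
    if (ageDays > spec.retentionDays) {
      purge.push(r);
      if (r.marketingConsent && r.marketingConsent.given === true) {
        subscribers.push({ email: r.email, consent: r.marketingConsent });
      }
    } else {
      keep.push(r);
    }
  }
  return { purge, review, keep, subscribers };
}
```

Run `applyRetention` from a scheduled job (on WordPress, a WP-Cron hook is the usual place) rather than by hand; a retention period that exists only in the privacy policy and is never executed is the situation described above, where five-year-old enquiries are still sitting in the database.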
Data Breach Notification: The New eServices Portal Requirement
From 1 April 2025, all data breach notifications to the Information Regulator must be submitted through the Regulator’s eServices portal. Reporting by email or using the older Form SCN1 is no longer the primary accepted method.
Under POPIA, you are required to notify the Information Regulator and affected data subjects of a security compromise as soon as reasonably possible after becoming aware of it. A security compromise is broadly defined – it covers any unauthorised access to, or acquisition of, personal information, including a hacked website, an unauthorised database export, or an employee accidentally emailing personal information to the wrong recipient.
For website owners, the most common breach scenarios are:
- A WordPress site being compromised through an unpatched plugin vulnerability, giving an attacker access to form submission data, user accounts, or the WordPress database
- Customer order data being exposed through a misconfigured WooCommerce installation
- Login credentials being captured through a phishing attack or brute-force attempt
- Third-party services integrated with your site suffering their own breaches, which may expose data you shared with them
The Regulator’s November 2025 briefing reported 284 breach notifications per month – a 40% increase on the prior year. Many of these are WordPress security incidents. If your WordPress site is not actively maintained – meaning plugin updates are applied promptly, security hardening is in place, and backups exist – you are operating with meaningful breach exposure.
The connection between WordPress maintenance and POPIA compliance is direct. A site running outdated plugins is a site with known vulnerabilities. A known vulnerability that results in a breach is a breach you could reasonably have prevented. That distinction matters when the Regulator is deciding whether to treat an incident as a compliance failure.
Data Subject Rights: You Need a Process
POPIA gives data subjects the following rights in relation to their personal information:
- The right to access their personal information held by you
- The right to request correction or deletion of inaccurate, irrelevant, or out-of-date information
- The right to object to the processing of their personal information
- The right to lodge a complaint with the Information Regulator
The key word in each of these is process. You need a documented, functional mechanism to receive and respond to these requests – not just a statement in your privacy policy that says ‘contact us if you have concerns.’
In practice, this means:
- A dedicated contact method for data subject requests – an email address, a form, or a WhatsApp number – clearly disclosed in your privacy policy
- A documented internal procedure for handling requests, with named responsibility and a response timeline
- A response capability: can you actually locate all the personal information you hold on a specific individual across your website’s database, your CRM, your email history, and your marketing platform? If not, you cannot fulfil an access request.
The April 2025 regulation amendments specifically strengthened the right to object and require that objection mechanisms be accessible through multiple channels at no cost to the data subject. This has immediate implications for email marketing unsubscribe processes and for how you handle requests to stop contacting someone.
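The "can you actually locate" question above is the one most sites cannot answer. As an added example, not code from the original article, this is a small routine that searches every store a typical site has (form submissions, a CRM export, a mailing list) for one person, and an objection handler that withdraws marketing consent in all of them at once. The stores and their column names are constructed for the example; the part worth copying is the identifier normalisation, because a request from "+27 82 123 4567" must also find the record saved as "082 123 4567".

```javascript
// Added example: locating a data subject across stores and honouring an
// objection. Not the article's code; stores, column names and records are
// constructed for the example.

function normaliseEmail(e) { return typeof e === 'string' && e.trim() !== '' ? e.trim().toLowerCase() : null; }

// Reduce a South African number to E.164 ("+27821234567") so that local
// (082...), international (+27 82...) and "+27 (0)82..." spellings compare
// equal. Anything that is not a plausible SA number is null rather than guessed.
function normalisePhone(p) {
  if (typeof p !== 'string') return null;
  const digits = p.replace(/\D/g, '');
  if (/^0\d{9}$/.test(digits)) return '+27' + digits.slice(1);
  if (/^27\d{9}$/.test(digits)) return '+' + digits;
  if (/^270\d{9}$/.test(digits)) return '+27' + digits.slice(3);
  return null;
}

// Each store is { name, records, fields: { email, phone } }, where fields maps
// to whatever column names that particular store uses for the identifiers.
function locateDataSubject(stores, request) {
  const email = normaliseEmail(request.email);
  const phone = normalisePhone(request.phone);
  const found = [];
  for (const store of stores) {
    for (const rec of store.records) {
      const recEmail = normaliseEmail(rec[store.fields.email]);
      const recPhone = normalisePhone(rec[store.fields.phone]);
      if ((email && recEmail === email) || (phone && recPhone === phone)) {
        found.push({ store: store.name, record: rec });
      }
    }
  }
  return found;   // the basis of the access-request response
}

// Honour an objection to direct marketing: withdraw consent in every store and
// keep the withdrawal itself as a suppression entry (deleting the row outright
// lets a later re-import put the person back on the list). Returns an audit line.
function honourObjection(stores, request, now) {
  const hits = locateDataSubject(stores, request);
  for (const { record } of hits) {
    record.marketingConsent = { given: false, withdrawnAt: now };
  }
  return { matched: hits.length, stores: [...new Set(hits.map(h => h.store))], at: now };
}

// Constructed sample stores: same person in two of them under different spellings.
const SAMPLE_STORES = [
  { name: 'form_submissions', fields: { email: 'email', phone: 'phone' }, records: [
    { id: 1, email: 'Thandi@Example.co.za', phone: '082 123 4567', marketingConsent: { given: true } },
    { id: 2, email: 'sipho@example.com', phone: null, marketingConsent: { given: false } },
  ] },
  { name: 'crm_export', fields: { email: 'Email', phone: 'Mobile' }, records: [
    { Email: 'thandi@example.co.za', Mobile: '+27 82 123 4567', marketingConsent: { given: true } },
  ] },
  { name: 'mailing_list', fields: { email: 'address', phone: 'tel' }, records: [
    { address: 'other@example.org', tel: '', marketingConsent: { given: true } },
  ] },
];
```

The list of stores is the part that has to be maintained by hand: every time a new form, CRM or marketing platform is connected to the site, it needs an entry here (and a corresponding line in the privacy policy), or access requests and unsubscribes will silently miss it.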
The POPIA Website Compliance Checklist
Use this checklist to assess where your website currently stands. Each item without a tick is a compliance gap that needs to be addressed.
Privacy Policy
| [ ] | Privacy policy is published on the website and linked from every page (typically in the footer) |
| [ ] | Policy identifies the responsible party by name and contact details |
| [ ] | Policy names the appointed Information Officer with their contact details |
| [ ] | Policy describes what personal information is collected and through which mechanisms |
| [ ] | Policy states the specific purpose for each type of information collected |
| [ ] | Policy discloses all third-party operators who receive personal information |
| [ ] | Policy states retention periods or the criteria used to determine them |
| [ ] | Policy explains how data subjects can access, correct, or request deletion of their information |
| [ ] | Policy includes the Information Regulator’s contact details for complaints |
| [ ] | Policy discloses any cross-border transfers of personal information |
| [ ] | Policy has been reviewed and updated within the past 12 months |
Cookie Consent
| [ ] | Cookie notice or banner is present on the website |
| [ ] | Banner describes what cookies are used and why |
| [ ] | Non-essential cookies (analytics, advertising) are blocked until consent is given – not just disclosed |
| [ ] | Data subjects can decline non-essential cookies without the site denying them core functionality |
| [ ] | Cookie policy or cookie section in privacy policy discloses all third-party scripts that collect data |
Forms and Data Collection
| [ ] | Each form discloses the purpose for which the collected information will be used |
| [ ] | Marketing consent is collected via an explicit opt-in checkbox – not pre-ticked |
| [ ] | Form submissions are cleared from the WordPress database on a defined retention schedule |
| [ ] | A data processing agreement exists with any third-party platform that receives form data |
| [ ] | Newsletter or marketing signup clearly states what subscribers will receive and how often |
Information Officer
| [ ] | An Information Officer has been formally designated |
| [ ] | The Information Officer is registered on the Information Regulator’s eServices portal (inforegulator.org.za) |
| [ ] | The Information Officer’s name and contact details are published in the privacy policy |
| [ ] | The Information Officer has a documented understanding of their POPIA responsibilities |
Security and Breach Preparedness
| [ ] | WordPress core, themes, and plugins are kept up to date with a regular maintenance schedule |
| [ ] | Website hosting includes documented security infrastructure (firewalls, malware scanning, backups) |
| [ ] | Daily or weekly automated backups are in place with an off-site copy |
| [ ] | A procedure exists for identifying and assessing potential security compromises |
| [ ] | Credentials are in place for the Information Regulator’s eServices portal to submit breach notifications |
| [ ] | A documented breach response procedure identifies who does what and within what timeframe |
Data Subject Rights
| [ ] | A dedicated contact method for data subject requests is disclosed in the privacy policy |
| [ ] | A documented internal procedure exists for responding to access, correction, and deletion requests |
| [ ] | Email marketing lists include a functional unsubscribe mechanism on every communication |
| [ ] | The unsubscribe process removes the data subject from all relevant lists promptly and permanently |
What Non-Compliance Actually Costs
The maximum administrative fine under POPIA is R10 million. Criminal liability for certain offences carries a maximum prison term of 10 years. These are the numbers that tend to be quoted, and they are accurate – but they are not the primary risk for most small and medium businesses in South Africa.
The more immediate risks are:
Enforcement notices. The Information Regulator can issue an enforcement notice requiring you to take specific remedial action within a defined timeframe. Failure to comply with an enforcement notice is what escalated the Department of Justice matter to a R5 million fine and subsequent litigation. The fine was not for the original breach – it was for ignoring the Regulator’s instruction to fix it.
Reputational damage. Data breaches, even small ones, are becoming more visible. A notified data breach on a professional services website – an accountant’s firm, a medical practice, a legal office – in a suburb like Northcliff or Randburg where professional reputation is a primary business asset, has consequences that extend beyond the regulatory process.
Loss of contracts. Larger corporate clients are increasingly requiring proof of POPIA compliance before contracting with service providers. A formal compliance framework, a registered Information Officer, and a current privacy policy are becoming standard due-diligence expectations.
Civil claims. Data subjects whose personal information is mishandled can bring civil claims against the responsible party independently of the Regulator’s enforcement process.
None of this requires a catastrophic breach to trigger. A competitor who notices your website has no privacy policy, no cookie consent, and no Information Officer registered with the Regulator can lodge a complaint. The Regulator’s own-initiative inspection programme means you do not need to wait for a breach or a complaint to be investigated.
A Note on WordPress and Compliance
The majority of South African small business websites run on WordPress. This has direct implications for POPIA compliance because WordPress sites have a specific and well-documented attack surface – primarily outdated plugins with known vulnerabilities – and because the plugin ecosystem provides the tools needed to implement many of the compliance requirements above.
Useful WordPress plugins for POPIA compliance:
- Complianz or CookieYes – cookie consent management with script blocking and consent logging
- WP GDPR Compliance or similar – data subject request management and consent records
- UpdraftPlus or similar – automated backup scheduling
- Wordfence or similar – security scanning, firewall, and login protection
- WP Activity Log – audit trail for administrator actions
Installing these plugins is not, by itself, compliance. Each requires configuration specific to your site’s data practices. A cookie consent plugin that is installed but not configured to actually block non-essential scripts before consent is given provides a visual compliance signal without the substance.
The most effective way to close the gap between a technically installed compliance layer and genuine operational compliance is to have a developer review the configuration with your specific data flows in mind – what your site collects, where it sends it, and how it is stored – rather than relying on default plugin settings.
Summary
- POPIA applies to every South African business that processes personal information through its website. There is no small-business exemption.
- The Information Regulator is actively enforcing. Real fines have been issued in 2024 and 2025 against both public and private entities. The 2025/26 Annual Performance Plan signals this trend is accelerating.
- The core website requirements are: a compliant privacy policy, a functioning cookie consent mechanism, disclosed purpose for all forms, a registered Information Officer, a security maintenance programme, and a documented process for data subject requests.
- From 1 April 2025, data breach notifications must be submitted through the Regulator’s eServices portal. If you have a WordPress site with no active maintenance, you have meaningful breach exposure.
- Non-compliance risk is not only about fines. Enforcement notices, reputational damage, loss of contracts, and civil claims are all in scope.
- Most compliance gaps on South African SME websites are addressable with the right configuration, documentation, and maintenance discipline – not with expensive legal infrastructure.
If you are not sure whether your website meets POPIA’s requirements – or if you know it doesn’t and you need someone to address the gaps – our team builds and maintains WordPress sites for Johannesburg businesses with compliance requirements in mind. Explore our website design services or our WordPress maintenance plans, or get in touch with us.
Frequently Asked Questions
Does POPIA apply to my small business website?
Yes. POPIA applies to any person or organisation that processes personal information in South Africa, regardless of size. If your website collects a name, email address, or phone number through any form, you are a responsible party under POPIA. There is no revenue threshold or employee count exemption.
What is the maximum fine for POPIA non-compliance?
The Information Regulator can impose administrative fines of up to R10 million. Certain POPIA offences also carry criminal penalties, including imprisonment of up to 10 years. The Regulator has already imposed fines of R5 million against government departments and R100,000 against private entities. Enforcement is increasing.
Do I need a cookie consent banner on my South African website?
Yes, if your site uses cookies that collect personal information – including analytics cookies and advertising retargeting. You must disclose what cookies you use and why, and obtain opt-in consent for cookies used for direct marketing or behavioural advertising. Continuing to browse does not constitute consent.
What is an Information Officer and do I need to register one?
Every organisation that processes personal information must designate an Information Officer. For owner-managed businesses, this is typically the owner. The Information Officer must be registered on the Information Regulator’s eServices portal at inforegulator.org.za. Failure to register is a compliance violation in itself.
How do I report a data breach under POPIA?
From 1 April 2025, all data breach notifications must be submitted through the Information Regulator’s eServices portal at inforegulator.org.za. You must also notify affected data subjects as soon as reasonably possible. A data breach includes any unauthorised access to personal information, including a hacked WordPress site.
How does POPIA differ from GDPR?
POPIA is South Africa’s own data protection law and applies specifically to processing in South Africa. While it shares structural similarities with GDPR – both regulate how personal information is collected, used, and protected – they are distinct frameworks with different enforcement bodies, penalties, and procedural requirements. A GDPR-compliant privacy policy is not automatically POPIA-compliant, and South African businesses should not rely on a GDPR template as a substitute for proper POPIA documentation.